Code injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program. When that code is interpreted and executed by the application, Code Injection can cause data loss or corruption, lack of accountability, denial of access, and even a complete host takeover.
These types of attacks are usually made possible due to an application’s lack of proper input/output data validation. Code injection differs from command injection in that an attacker is only limited by the functionality of the injected language itself. For example, if an attacker is able to inject PHP code into an application and have it executed, that injection is only limited by what PHP is capable of.